The Importance of Controls

Before your IT audit commences, it might be helpful to meet with the auditors and request a list of all the controls they'll be testing. Not only will this give you an indication of their hot spots, it lets them know you're interested in ensuring a successful audit.

Ultimately, auditors are trying to identify controls implemented by management to limit risk. After a control is identified, its efficacy is tested. The auditor's job is to provide an independent opinion on the state of controls, and, more importantly, any risks.

In my experience, though, IT and management don't think in terms of controls. This is a problem because if you can't articulate your IT controls to an auditor, you're leaving yourself open to the auditor more or less deciding for you what your controls should be. However, if you can point to a written information security policy and then demonstrate the procedures and configuration steps by which you comply with that policy, you inspire confidence and retain more influence during the audit because the auditor must first assess controls that are in place.

Understanding the types of controls can help you limit risk and satisfy your auditor. Preventive controls are usually the preferred type because their purpose is to prevent an intrusion or loss. Preventive controls include password policies, patching, and change control processes.

Detective controls don't prevent something from happening but allow you to detect problems and respond. For instance, the monitoring of security logs is usually considered a detective control. Sometimes the only control possible is detective. For instance, there really aren't any preventive controls available to limit the risk presented by an administrator who becomes malicious (although there are checks and balances one can implement). But a properly designed monitoring system can at least collect an audit trail of administrator activity.

Sometimes detective controls can become deterrent controls. An audit trail of administrator activity might include periodic spot checks of administrator activity. Knowing about the spot checks and being aware that the audit trail is available for investigations can deter administrators from malicious acts.